HPGETENT(1)
NAME
hpgetent - Generate reports and validate winbind users and groups data.
SYNOPSIS
hpgetent [database][key...]
or
hpgetent [-d 1-10]
hpgetent -U [-d 1-10][-V][-v][-D domainname or []]
hpgetent -P [-d 1-10][-V]
hpgetent -G [-d 1-10][-v][-V][-D domainname or []]
hpgetent -u username or UID [-d 1-10][-x][-v][-V][-w][-m][-s][-q]
hpgetent -g groupname or GID [-d 1-10][-x][-v][-V][-w][-m][-s]
DESCRIPTION
This tool is part of the CIFS WTEC Support Tools suite.
hpgetent is a program written to provide users and groups reports not
available through other tools. Although it contains winbind-specific
features, it is designed to provide reports for non-winbind name ser‐
vices as well. Options can be provided to a single command line for
various levels of details, often eliminating the need for multiple com‐
mands. It uses the HP-UX name service backends to gather details when
possible. wbinfo is called to confirm that HP-UX name service func‐
tions return all the names reported in the winbind database. It is also
called when winbind enumeration is disabled to gather information not
available through the name service function calls.
OPTIONS
- When no primary parameter [P,U,G,u,g] is provided, hpgetent re‐
ports user account details and group memberships from the ses‐
sion issuing the command.
-d [1-10] <P|U|G|u|g||>
This parameter turns on the specified level of debugging. Log‐
ging is done to stdout. Levels 1 and 2 can be useful for some
winbind troubleshooting while levels 3 - 10 are more useful for
debugging issues in hpgetent. Using any debug level will pre‐
vent temporary files, containing the output of testparm and
wbinfo calls, from being removed at the completion of the pro‐
gram.
The following is a brief description of the logging done at the speci‐
fied level.
1 Report unique printf numbers for all print statements.
2 Report wbinfo and testparm commands plus extra error in‐
formation.
3-5 Key variables.
6 Function entry and exits.
7,8 More variables.
9,10 Compare and loop variables.
-P This parameter reports configured winbind parameters from test‐
parm and the current running status of winbind including the
last idmap entries for the users and groups. LDAP parameters are
included in the report if the LDAP backend is used.
-U This option displays all users reported by the HP-UX name ser‐
vice functions. It can be limited to a specified domain by
adding the "-D domain" parameter. When winbind user enumeration
is disabled, the -w option can be added to enable enumeration
through checking all used UIDs in the idmap range. NOTE: Adding
the "-w" option can take a long time when checking large data‐
bases. It will stop looking when it finds 25 unassigned en‐
tries. Adding the "-d1" option can be useful to see entries no
longer assigned.
-G This option causes all groups to be reported. It can be limited
to a specified domain by adding the "-D domain" parameter. When
winbind groups enumeration is disabled, the "-w" option can be
added to enable enumeration through checking all assigned GIDs
in the idmap range. NOTE: Adding the "-w" option can take a
long time in large databases. hpgetent stops checking GIDs when
it finds 25 unassigned entries. Adding the "-d1" option can be
useful to view entries without valid assigned groups.
-D [domain_name] or [] <|U|G|>
This option is used to limit users or groups reports to the
specified domain. Using "[]" in place of the domain name causes
the report to be limited to the local domain. This includes all
users or groups where there is no preceding domain name includ‐
ing entries returned from files or winbind users in the local
domain when "winbind use local domain = yes" and winbind enumer‐
ation is enabled.
-q <|u|>
This option is used to add quota information to the user de‐
tails.
-u [username] or [UID]
This option causes hpgetent to report details about a specific
user account. hpgetent uses HP-UX name service functions to
find the specified username or UID. If a number is entered and
it is a valid UID, hpgetent uses getpwuid(). If the UID is not
found, the -w option is specified, and the UID is in the winbind
range, hpgetent checks winbind for the UID. If it still isn't
found, hpgetent checks whether the number is a valid winbind
name, since Windows accepts user account names made up entirely
of digits. getpwnam() is called if the username isn't a valid
UID. If the username entered doesn't contain a prepended domain
name and the -w option is specified, hpgetent prepends the local
winbind domain name for the winbind search, except when
"winbind use default domain = yes".
-g [groupname] or [GID]
This option causes hpgetent to report details about a specific
group. Searching for the GID or group name is similar to what
is described above for users.
-m <|u|g|>
This option causes the members of a group to be included with
the group details when used with the -g option. When used with
the -u option the groups that the user is a member of are in‐
cluded in the detailed user report. Adding this option is not a
trivial search when combined with the -w option, especially when
winbind enumeration is disabled. Getting the groups that a user
is a member of is especially complex and is not recommended with
the -w option unless the winbind databases are quite small or
winbind user and groups enumeration is enabled. hpgetent checks
primary group IDs as part of the members check.
-w <|u|g|U|G|>
This option is used to allow hpgetent to query the winbind data‐
base directly using wbinfo. This is useful when winbind enumer‐
ation is disabled or if there is a question if all UIDs or GIDs
are being returned when using the -G or -U parameters.
-v <|U|G|>
This option is used to validate data from the HP-UX name service
backend. hpgetent performs a getpwuid() or getgrgid() of each
ID in the appropriate winbind idmap range. If an ID doesn't
produce a valid username or groupname, wbinfo is called with the
ID to check if it can be found in the winbind database. All
discrepancies are noted in the report.
-S <|U|G|u|g|>
This option causes SIDs to be reported for winbind users and
groups. The wbinfo program is used to get the SIDs.
-s <|U|G|u|g|>
This option causes output to be reported in script friendly,
/etc/passwd or /etc/group format. The user can use the -d1 op‐
tion to see any errors reported.
-x This option causes hpgetent to search for and report duplicate
usernames or groupnames. It also handles the corner case of a
Windows name made up entirely of digits that matches a valid
UID or GID. NOTE: These searches will take an extended time
since all entries of all name service databases must be
searched. This can come in handy since Windows names are case
insensitive and HP-UX names are case sensitive, increasing the
likelihood of a duplicate name.
-V <|U|G|u|g|P|>
This option causes hpgetent to report hpgetent version informa‐
tion in the reported output.
ADDITIONAL NOTES:
If "\" is used as the winbind separation character, the user should use
"\\" as the separator in the hpgetent command. hpgetent will handle
all internal calls to wbinfo and the name service functions appropriately.
The hpgetent program uses wbinfo -r to enumerate the groups a user be‐
longs to if winbind groups enumeration is disabled. If enumeration is
enabled and the -wvmu [username] options are used, hpgetent verifies
the list of groups returned by the HP-UX name service functions by also
listing the groups returned by wbinfo -r.
When switching from enumeration disabled to enumeration enabled or
vice-versa, winbind needs to be restarted. After restarting winbind,
it can take some time for changes to be reflected properly.
DEPENDENCIES
1) The session permissions must allow the use of the wbinfo
program.
2) The session must have permissions to read and write tempo‐
rary files to /tmp. These files will be removed when exiting
the program unless the -d option is used.
3) wbinfo and testparm must be in /opt/samba/bin
4) Reporting quotas requires the proper permissions to run the
quotactl() system call. Use "man quotactl" for more details on
this function.
EXAMPLES
hpgetent passwd = hpgetent -swU
hpgetent group = hpgetent -swG
hpgetent passwd win_dom+tuser1 = hpgetent -su win_dom+tuser1
The [database][key] format is included to be compatible with the Linux
getent program. The output is also compatible. The option format
offers greater customization and features.
The first two commands above show how to request all users then all
groups. The -s option indicates to report all entries in /etc/passwd
or /etc/group format and the -w option indicates to use wbinfo. The -w
option is needed if winbind enumeration is disabled, or if the user is
also interested in finding any winbind users that are not reported by
the HP-UX name service backends.
In the third command shown above, the "win_dom" is the Windows domain
name, the "+" character represents the winbind separation character and
"tuser1" represents a username for which the details are desired. The
-s option indicates that the report should be formatted in /etc/passwd
format.
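The two conditions the -x option is described as checking, applied to /etc/passwd-format output of the kind "hpgetent -swU" reports, as an added example (not hpgetent's own code or logic). The function names, the sample entries and the "+" separator default are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not hpgetent code. Reads /etc/passwd-format lines on stdin
# (the format "hpgetent -swU" is documented to emit) and reports:
#   CASEDUP a b   names a and b differ only by case
#   NUMNAME n o   all-digit account name n equals a UID owned by entry o
# SEP is the winbind separator; "+" is assumed, as in the EXAMPLES section.
find_name_collisions() {
    awk -F: -v sep="${SEP:-+}" '
    NF >= 3 && $1 !~ /^#/ {
        name = $1; uid = $3
        key = tolower(name)              # Windows-style case folding
        if (key in seen) {
            if (seen[key] != name) printf "CASEDUP %s %s\n", seen[key], name
        } else seen[key] = name
        if (!(uid in owner)) owner[uid] = name
        # Drop a leading DOMAIN<sep> to get the bare account name.
        i = index(name, sep)
        bare = (i > 0) ? substr(name, i + length(sep)) : name
        if (bare ~ /^[0-9]+$/) numeric[name] = bare
    }
    END {
        for (n in numeric) {
            u = numeric[n]
            if ((u in owner) && owner[u] != n)
                printf "NUMNAME %s %s\n", n, owner[u]
        }
    }' | sort
}

# Constructed sample: a local account, a winbind account returned without a
# domain prefix, and a domain account whose name is all digits.
sample_passwd() {
    cat <<'EOF'
root:*:0:3::/:/sbin/sh
jsmith:*:105:20::/home/jsmith:/usr/bin/sh
JSmith:*:10002:10000::/home/JSmith:/bin/false
win_dom+tuser1:*:10001:10000::/home/win_dom/tuser1:/bin/false
win_dom+105:*:10004:10000::/home/win_dom/105:/bin/false
EOF
}

sample_passwd | find_name_collisions
```

If the separator is "\", set SEP to "\\", because awk -v processes backslash escapes.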
SEE ALSO
wbinfo(1), winbindd(8), testparm(1), smb.conf(5), getgrent(3C),
getpwent(3C), quota(5), quotactl(2)
AUTHOR
Lance Swift, HP WTEC NOS Support Team